Wednesday, August 1, 2012

Multi-Factor Authentication using SSH

While setting up a new Linux server I got the idea to increase the security to multi factor authentication rather then just a simple password. A search of the Tubes didn’t reveal an adequate guide on how to best go about this. This post is due to the lack of guide in the hope it will save you a little time and help increase your security.

Goal:
I wanted to be able to utilize multi factor authentication from multiple workstations running different operating systems (naming Windows & Linux). Also, I will not be the only one using this form of authentication so I needed to make it shareable with team.

To accomplish these goals I selected SSH, using a public / private key along with a passphrase on the key; hence giving me two factors (something I have and something I know).

I know what some people will be saying at this point, “this has been done before and there’s tons of posts..” Well it is true that public / private keys are not new to SSH, generally they are used without a passphrase (for automation) and they are generated from the client side. In this example I will generate the RSA keys on the server and then transport the private key to the client I want to utilize it on.

The Setup:


Steps:
The following commands will do the following (in order)

1) Create an account named ServiceAccount
2) Set password for the ServiceAccount
3) Change user and “become” the user ServiceAccount
4) Generate the RSA keys
- Save the key to the default location
- Set a passphrase that is strong but you can remember
5) Put a copy of the public RSA key into the authorized_keys file
6) Change the security on the authorized_keys file
7) Become root (or another user that has sudo access)
8) Make a backup of the sshd_config file before we modify it
9) Make the following modifications to sshd_config file
10) Restart the sshd demon
11) Copy the private key to your remote client (in my case this was a Linux box)
12) Connect from the remote Linux workstation

Commands:

Useradd ServiceAccount
passwd ServiceAccount
su ServiceAccount
ssh-keygen –t rsa
   ## Save the keys to the default location (/home/ServiceAccount/.ssh)
   ## Set a strong passphrase when prompted
cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keys
su -
cp /etc/ssh/sshd_config /etc/ssh/sshd_config.orig
vi /etc/ssh/sshd_config
PermitRootLogin no
PasswordAuthenticaion no
PubKeyAuthentication yes
service sshd restart
scp ~/.ssh/id_rsa UserName@Client:~/ServiceAccount_RSA
ssh –i ~/ServiceAccount_RSA ServiceAccount@Server

Posted by at
Labels:

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)